CVE-2024-20251
Stored Cross-Site Scripting
4.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Cisco Identity Services Engine
below: 2.7, 3.0, 3.1P8, 3.2P5, 3.3P1
Stanisław Koza
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack against a user of the interface on an affected device.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
- Log in as any low-privileged user
- In the network devices tab, click on any colored part of the chart
- You will be taken to https:///admin/#pulloutLandingPage?pulloutView=cisco/ise/features/visibility/matrixviews/views/DevicesMatrixView. Now choose any device from the list and export it using the "Export selected" option. In the next window choose "Importable only".
- Open exported file with any text editor and change User-Name to
"AAAA<img src='' onerror=alert(document.domain)>"
- Upload modified file using the "Import" > "Import From File" functionality
- Now locate the device in the list of devices and click its name (note that this payload can also be fired as an admin user).
- The XSS payload will execute
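
The root cause described above (an imported field stored and later rendered without validation or encoding) is shown below next to the two controls that close it. This is an added example, not Cisco ISE code and not part of the original advisory; the record shape, function names and allow-list policy are assumptions, and the sample record is constructed from the User-Name value in the steps above.

```javascript
// Added illustration; not Cisco ISE code. All names and the record shape are hypothetical.

// Constructed sample: an imported record carrying the User-Name value from the steps above.
const importedRecord = {
  "User-Name": "AAAA<img src='' onerror=alert(document.domain)>",
};

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// so the browser parses it as HTML when the detail view is rendered.
function renderDetailUnsafe(record) {
  return '<span class="device-user">' + record["User-Name"] + "</span>";
}

// Output encoding: every character with meaning in HTML text or quoted
// attribute context becomes an entity, so the value is displayed, not parsed.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

function renderDetailSafe(record) {
  return '<span class="device-user">' + escapeHtml(record["User-Name"]) + "</span>";
}

// Input validation at import time: an allow-list for the field (assumed policy:
// letters, digits and . _ @ -, at most 64 characters). Rejected rows are never stored.
const USER_NAME_ALLOWED = /^[A-Za-z0-9._@-]{1,64}$/;
function validateImport(records) {
  const accepted = [];
  const rejected = [];
  for (const rec of records) {
    const v = rec["User-Name"];
    (typeof v === "string" && USER_NAME_ALLOWED.test(v) ? accepted : rejected).push(rec);
  }
  return { accepted, rejected };
}

const result = validateImport([importedRecord, { "User-Name": "svc-backup@example.test" }]);
console.log("unsafe:", renderDetailUnsafe(importedRecord));
console.log("safe:  ", renderDetailSafe(importedRecord));
console.log("rejected rows:", result.rejected.length, "accepted rows:", result.accepted.length);
```

Validation on import and encoding on output are independent layers: the first keeps markup out of storage, the second keeps anything already stored from being parsed as HTML.
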
- 19-07-2023 - Vulnerability reported to vendor
- 19-07-2023 - First response from the vendor
- 10-01-2024 - Security advisory is published by the vendor
- 13-05-2025 - PoC published